MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 16


Intelligence 16 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
SHA3-384 hash: 41d4c32ac36f245b39e34ffa4cee2e49dc41e9f6af077d67b5ce1c77f5d6ba1cbc46c514f6ad6ba2ac3e23fd87441bfa
SHA1 hash: afc28da734d88a4fe2bdc2996d402e9803c319d7
MD5 hash: aba99863a5a6a720cd6db12e4ff158ff
humanhash: orange-edward-cola-west
File name:loader_go_upx.exe
Download: download sample
Signature Meterpreter
Create hunting rule
File size:314'368 bytes
First seen:2026-01-11 07:46:38 UTC
Last seen:2026-01-11 09:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (312 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:fqgKSAZLdUr7/ULre5ONsepbFNsMCgTZrBLorBKJQ:fq3nnWCxjtPsvIrBW4
Threatray 3 similar samples on MalwareBazaar
TLSH T1CB6422CA43178520F9E90DFFEB4832A5C9E5E9D79D83261D60263361EDF0851790DA8B
TrID 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter BlinkzSec
Tags:8-149-128-10 exe UPX
File size (compressed) :314'368 bytes
File size (de-compressed) :893'440 bytes
Format:win64/pe
Unpacked file: 8a5175036316cf8fd92551b400a3b062c6e48e0da3cda66dcf95ab2305aa8dfe

Intelligence

File Origin
# of uploads :
3
# of downloads :
108
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
Link:
https://research.acce.ciphertechsolutions.com/results/31f10bcc-bbb0-4953-9b5f-9e08d22e9509/
Malware family:
n/a
ID:
1
File name:
loader_go_upx.exe
Verdict:
No threats detected
Analysis date:
2026-01-11 07:48:56 UTC
Tags:
upx golang
Link:
https://app.any.run/tasks/338259b5-a4bf-4d47-ab65-b8d36898f65c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48514/
Detection(s):
SecuriteInfo.com.FileRepMalware.78168227.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6963558925868a22ed6aca3a
Tags:
cobaltstrike cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed packed packed upx
Link:
https://www.filescan.io/uploads/6963558530368802bb7fe34d/reports/bf13bd44-0af6-41a8-91bb-72d85f7253cc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-11T04:57:00Z UTC
Last seen:
2026-01-12T12:48:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win64.Shelma.a HEUR:Trojan.Win64.Goshell.gen HEUR:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/050c368b-d2d2-491b-932a-9a0007b40d03
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/aba99863a5a6a720cd6db12e4ff158ff
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5/
Verdict:
Malicious
Threat:
Family.COBALTSTRIKE
Link:
https://tip.neiki.dev/file/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
Threat name:
Win64.Trojan.Rozena
Create hunting rule
Status:
Suspicious
First seen:
2026-01-11 07:40:06 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hpqnpcaiaacc232kzishfpx6ymzq3ekyd3f7d67fi76p3vxhwxkq._file
Verdict:
malicious
Label(s):
metasploit
Create hunting rule
Similar samples:
3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
Meterpreter
5e7e9abda6651fea9fa822fe62e132563fc2c4e4581a1f7cdd01367eb506f0bb
Meterpreter
error
Meterpreter
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit backdoor trojan upx
Link:
https://tria.ge/reports/260111-jmnswaes4h/
Behaviour
UPX packed file
Cobaltstrike
Cobaltstrike family
MetaSploit
Metasploit family
Malware Config
C2 Extraction:
http://M1�H��H��H��H��A������H��jAXL��H��A���ta��H��@:1220708680H��M1�jAXH��A���_��H�� ^��j@AYh
8.149.128.10:443
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/b479e626-6fb8-46c1-84c0-c4e2282bdc0c
Unpacked files
SH256 hash:
3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5
MD5 hash:
aba99863a5a6a720cd6db12e4ff158ff
SHA1 hash:
afc28da734d88a4fe2bdc2996d402e9803c319d7
Link:
https://www.unpac.me/results/096d7adf-56b1-4600-b133-b0e99f4d9cd6/
SH256 hash:
8a5175036316cf8fd92551b400a3b062c6e48e0da3cda66dcf95ab2305aa8dfe
MD5 hash:
e503f9f817e2c64c082460fd575715a6
SHA1 hash:
c731808053795cbaaa640407a0d8c881737041b5
Link:
https://www.unpac.me/results/096d7adf-56b1-4600-b133-b0e99f4d9cd6/
Malware family:
Metasploit
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3be0d7880800/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Meterpreter

Executable exe 3be0d7880800042d6f4aca2472befec3330d91581ecbf1fbe547fcfdd6e7b5d5

(this sample)

Meterpreter

Executable exe 8a5175036316cf8fd92551b400a3b062c6e48e0da3cda66dcf95ab2305aa8dfe

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3756083/
Cape
Cape
https://www.capesandbox.com/analysis/48514/
  
Dropping
SHA256 8a5175036316cf8fd92551b400a3b062c6e48e0da3cda66dcf95ab2305aa8dfe
  
Dropping
MD5 e503f9f817e2c64c082460fd575715a6

Comments